Format: 1.8
Date: Tue, 06 Feb 2024 13:54:51 +0100
Source: postgresql-13
Architecture: source
Version: 13.14-0+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
Changed-By: Christoph Berg
Changes:
 postgresql-13 (13.14-0+deb11u1) bullseye-security; urgency=medium
 .
   * New upstream version.
 .
   * Tighten security restrictions within REFRESH MATERIALIZED VIEW
     CONCURRENTLY (Heikki Linnakangas)
 .
     One step of a concurrent refresh command was run under weak security
     restrictions. If a materialized view's owner could persuade a
     superuser or other high-privileged user to perform a concurrent
     refresh on that view, the view's owner could control code executed
     with the privileges of the user running REFRESH. Fix things so that
     all user-determined code is run as the view's owner, as expected.
 .
     The PostgreSQL Project thanks Pedro Gallegos for reporting this
     problem.
     (CVE-2024-0985)
Checksums-Sha1:
 2d758e5b0e5bae20ba52c26e487a93a74e9b6a1d 3703 postgresql-13_13.14-0+deb11u1.dsc
 79dbababe688d5589fa1d255656bf2e8e35730ce 21584146 postgresql-13_13.14.orig.tar.bz2
 fdc6b36d45b7b613d280ca5324c7533d7560864b 34724 postgresql-13_13.14-0+deb11u1.debian.tar.xz
Checksums-Sha256:
 50ce2b604ada87ca68f2206d9968aa55dc4e5e4733daeee8734471c4a43bb860 3703 postgresql-13_13.14-0+deb11u1.dsc
 b8df078551898960bd500dc5d38a177e9905376df81fe7f2b660a1407fa6a5ed 21584146 postgresql-13_13.14.orig.tar.bz2
 801200e90899fd6f9468f4c16f9cbc9fa56588e0f2cd751f953fb494f8589472 34724 postgresql-13_13.14-0+deb11u1.debian.tar.xz
Files:
 2ac9c3c2f0cb1d4b63bca347433d639d 3703 database optional postgresql-13_13.14-0+deb11u1.dsc
 ed4b42c9b53c04d7d601327eacfcd231 21584146 database optional postgresql-13_13.14.orig.tar.bz2
 6177d5bd434361aec9b09e1f52783733 34724 database optional postgresql-13_13.14-0+deb11u1.debian.tar.xz